SDB:OpenSSH agent

This article or section refers to the version '11.0' and it is now obsolete! Please refer to this article's discussion page for more information.

The SSH agent can provide you with both an easy and secure way of using public key authentication with SSH. It allows you to still use password-less remote SSH logins, while having your public keys locked by a password. This article explains the principle and use of the ssh-agent program.

How it works

When ssh-agent is started, it accepts new keys and makes them available again through a socket. This socket is only available to sub-processes of ssh-agent (they inherit its path in the SSH_AUTH_SOCK environment variable), so ssh-agent must be invoked with another command as its argument. This can be a shell or your complete X desktop. After ssh-agent is started, the program ssh-add can be used to add your private keys to the agent.

Basic invocation

In the following example ssh-agent is started from the command line with bash as its argument. This starts a bash session inside your current one, with ssh-agent running in the background.

$ ssh-agent bash

ssh-agent will keep running until the sub-shell bash is closed.

$ exit

This will terminate the bash session and ssh-agent.

Add your keys

You can use ssh-add to send your keys to the agent. ssh-add only works if it can find the agent's open socket, so it has to be executed in a sub-shell of ssh-agent, as in the example above.

$ ssh-add

This command looks for the files ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity and adds them automatically. You will be prompted for your key's password if one is set. (That is usually the reason why one would choose to use ssh-agent.) The ssh-add command must be executed every time ssh-agent is started.

Automatic starting

There are two ways of automatic starting: by means of a custom xsession or by PAM.

If a custom xsession is used:
You can let your keys expire after some time. After this time they have to be unlocked again with ssh-add.
You can set up user-specific scripts for loading ssh-agent and your desktop environment.
You can automatically load custom-named keys by changing the ssh-add syntax in your scripts.
Auto-starting ssh-agent only happens for this custom session. If you log in to any other desktop environment or shell, you will need to load the agent manually, or let it load through a specific rc script such as ~/.bashrc.
If you want to change to another desktop environment and still auto-load ssh-agent, you will need to modify your .xsession script instead of simply selecting another session in your login display.
You will have to create a separate .xsession file for every user that needs to make use of ssh-agent.
When a user logs in, he has to type an additional password for the keys, for which he will be prompted.

If PAM is used:
ssh-agent will be started for any kind of login (desktop environments and shells).
ssh-agent will be started for every user upon login.
You can log in using the password set for your private key, meaning you only need to type a single password.
You can choose not to start the agent by typing your system password instead of the key's password.
Keys cannot be set to expire, so you need to lock your screen if you want to prevent someone from using your keys. (Yet they cannot steal a key to put it on their own system.)
Only keys with default names can be loaded automatically, and only the key whose password you entered.
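The rc-script route mentioned above, as an added example that is not part of this article: a ~/.bashrc snippet that starts ssh-agent once per login and lets later shells reuse it, saving the agent's environment in ~/.ssh/agent.env (a path assumed here, not an OpenSSH default) and using the exit status of ssh-add -l to tell a loaded agent from an empty or dead one.

```shell
#!/bin/sh
# Added example (not from the original article): a ~/.bashrc snippet that
# starts ssh-agent once per login and lets every later shell reuse it,
# instead of wrapping each shell in "ssh-agent bash".
# Assumption: the agent's environment is saved in ~/.ssh/agent.env, a path
# chosen for this example, not an OpenSSH default.

AGENT_ENV="${HOME}/.ssh/agent.env"

# Classify the agent behind an SSH_AUTH_SOCK value via the exit status of
# "ssh-add -l": 0 = keys loaded, 1 = agent running but empty,
# anything else = no agent reachable (variable unset, socket stale or dead).
agent_state() {
    rc=0
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo dead ;;
    esac
}

# Start a fresh agent and record its socket and pid for other shells.
# The file names the socket that grants use of your keys, so it is created
# with mode 0600 (umask in a subshell, so the caller's umask is untouched).
start_agent() {
    (umask 077 && ssh-agent -s > "$AGENT_ENV")
    . "$AGENT_ENV" > /dev/null     # sets SSH_AUTH_SOCK and SSH_AGENT_PID
}

# Reuse the saved agent when it is alive; otherwise start one. Keys are
# added with ssh-add only when missing, so the passphrase prompt appears
# once per login rather than once per shell.
ensure_agent() {
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" > /dev/null
    case $(agent_state "$SSH_AUTH_SOCK") in
        loaded) ;;
        empty)  ssh-add ;;
        dead)   start_agent && ssh-add ;;
    esac
}

# Only interactive shells should touch the agent (scripts and scp/rsync
# sessions must not be stopped by a passphrase prompt).
case $- in
    *i*) ensure_agent ;;
esac
```

Running ssh-add -l by hand is also the quickest check that a new shell actually sees the agent: "Could not open a connection to your authentication agent" means SSH_AUTH_SOCK is missing or stale in that shell.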

Custom xsession

If you choose to set up a custom xsession, the following package needs to be installed:

After typing your script, save and exit your editor and make ~/.xsession executable.

$ chmod +x ~/.xsession

Running your custom xsession

If you now log out or reboot your system, you will see your login screen. This can be KDM, GDM, LXDM or any other kind of display manager (DM). In this DM you can choose which desktop environment should be loaded for this session; choose "custom" here. Custom runs the earlier created ~/.xsession script upon login.

When your desktop environment has loaded, you should be prompted by an ssh-askpass dialogue, where you can enter the password(s) of your key(s). Upon success your keys will be unlocked and you can now log in to your remote host without having to type any passwords.

If you fail to provide a valid password, ssh-askpass will close without adding the keys to your agent. If you would like to try again, you can run ssh-add from the command line and supply your password there.

Setting PAM

Warning: The sections below have not been tested and are probably not correct for current OpenSUSE versions. This article is currently being re-written. Please check the discussion page for more info.